dd62f4395e45db0b0b30f23cd87dc168.ppt
- Number of slides: 42
FOC-2, Cryptography with Low Complexity: 2
Benny Applebaum and Iftach Haitner, Tel-Aviv University
Reminder: Local Functions
The function f_{G,Q} is defined by:
• an (m, n, d) graph G
• a single predicate Q: {0,1}^d → {0,1}
F_{m,n,Q} is the collection {f_{G,Q}} where G is a random (m, n, d) graph.
(Figure: inputs x_1, …, x_n at the bottom, outputs y_1, …, y_m at the top; each output is the predicate applied to its d neighbours, e.g. y_i = Q(x_1, x_2, x_5).)
Goldreich's Assumption [ECCC '00]
Conjecture: for a random predicate Q and an expander G with m = n, inversion takes exp(Ω(n)) time.
• Use an expander graph + a "good" (single) predicate
• First candidate for an optimal one-way function
• A random local function is whp exponentially hard to invert
• Constraint satisfaction problems are cryptographically hard
(Figure: y_i = Q(x_1, x_2, x_5); expander: every set of n/3 outputs touches 2n/3 inputs.)
Generalization to Long Output
OW-Conjecture: for a properly chosen predicate Q and any graph G, the inversion complexity is exponential in the expansion of G.
Parameters: output length m, predicate Q, locality d, expansion quality.
• Larger m ⇒ easier to attack ⇒ security requires more "robust" predicates
• Weaker variant: for random graphs there is no poly-time inversion
• Strong variant confirmed for many classes of attacks [CEMT 09, ABW 10, A 12, ABR 12, BR 11, BQ 12, OW 14, FPV 15, AL 16, KMOW 16]
See the survey [A 15].
(Figure: y_i = Q(x_1, x_2, x_5).)
PRG variant
PRG conjecture: for most graphs and a properly chosen predicate Q, the resulting function is a pseudorandom generator.
Parameters: output length m, predicate Q, locality d.
Q: For output length m = n^s, which predicates satisfy the conjecture? Call such predicates s-pseudorandom.
Known Necessary Conditions [MST 03, …]
To achieve s-pseudorandomness, Q must have:
• Resiliency k = 2s − 1 [O'Donnell–Witmer 14]: Q is uncorrelated with the parity of any k-subset of its inputs; equivalently, Q is an extractor for bit-fixing sources.
• Algebraic degree s over the binary field; otherwise there is an attack based on linearization + Gaussian elimination.
(Figure: the degree-1 case, e.g. y_i = XOR(x_1, x_2, x_5).)
Degree + Resiliency ⇒ Pseudorandomness?
Intuition: resiliency defeats all "local" attacks:
• sub-exponential AC^0 circuits [Applebaum–Bogdanov–Rosen 12]
• semidefinite programs [O'Donnell–Witmer 14]
• statistical algorithms [Feldman–Perkins–Vempala 15]
except for Gaussian elimination, which is defeated by degree.
Q1: Do large degree & resiliency imply s-pseudorandomness?
• Conjectured by [FPV 15] for planted CSPs
• Candidate [OW 14, A 14]: the XOR-AND predicate (w_1 ⊕ … ⊕ w_{2k}) ⊕ (w_{2k+1} ∧ … ∧ w_{3k}) is k-psd
Evidence: Hardness against Linear Tests
Q1: Do large degree & resiliency imply s-pseudorandomness?
Thm [ABR 12]: degree, resiliency ≥ 2 ⇒ 1.24-psd against linear attacks.
• f is a low-bias generator (for most graphs)
• Linear tests require both resiliency and degree
• They capture most known attacks (local/global)
• [OW 14] extended this to s = 1.5 for the XOR-AND predicate
(Figure: a linear test XORs a subset of the outputs, e.g. y_6 ⊕ … ⊕ y_11.)
Today (part 1)
1. Power of linear attacks for longer outputs
2. Power of algebraic attacks
Refute the above conjecture (Q1) & provide fixes.
Characterization of Security against Linear Tests
Thm 1: Q is s-psd against linear tests ⟺ Q is k-resilient and has r-bit-fixing degree e, for k, r, e = Θ(s).
(r-bit-fixing degree e: after fixing any r inputs to any constants, deg(Q) ≥ e.)
• Works for arbitrarily long outputs
Cor 1: d-local low-bias generators with output length n^{Ω(d)}.
Cor 2: degree + resiliency do NOT imply pseudorandomness:
• the XOR-AND predicate (w_1 ⊕ … ⊕ w_{2k}) ⊕ (w_{2k+1} ∧ … ∧ w_{3k}) is not 2-psd against linear tests (fixing a single AND input to 0 leaves a degree-1 predicate, so its 1-bit-fixing degree is 1)
• Negative answer to Q1
Necessity of bit-fixing degree
Lemma: r-bit-fixing degree e ⇒ NOT (r+e)-psd against linear tests.
For a 1 − o(1) fraction of graphs G there exists a linear test L such that bias_L(f_{G,Q}) = |Pr_x[L(f_{G,Q}(x)) = 1] − Pr[L(U) = 1]| is a positive constant.
Proof:
• Assume deg(Q|_{w_1 = … = w_r = 0}) = e.
• Let S be the set of outputs whose first r inputs are x_1, …, x_r; |S| ≈ n^s/n^r > 2n^e (taking m = n^s with s = r + e).
• Conditioned on x_1 = … = x_r = 0, all S-outputs are degree-e polynomials in the remaining inputs, so there are more of them than monomials of degree ≤ e ⇒ many linear dependencies among these polynomials: linear forms L_1, …, L_{r+1} with L_j(y_S) = 0 whenever x_1 = … = x_r = 0.
• Hence Pr[L_1(y_S) = 0 ∧ … ∧ L_{r+1}(y_S) = 0] ≥ Pr[x_1 = … = x_r = 0] = 2^{−r}, whereas for uniform bits this probability is 2^{−(r+1)}.
• The r.v.'s L_1, …, L_{r+1} are Ω(1)-far from uniform ⇒ (Vazirani's XOR lemma) some linear test over the y's has constant bias.
(Figure: inputs x_1, …, x_r, …, x_n; the outputs in S all touch x_1, …, x_r.)
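The three predicate parameters used so far (resiliency, GF(2) algebraic degree and r-bit-fixing degree) can be read off a predicate's truth table. The following is an added illustration, not code from the talk: it computes them for the XOR-AND candidate of the "Degree + Resiliency" slide and for the OR∘XOR ⊕ XOR predicate used later in the Algebraic Attacks part, both instantiated with k = 2. The function names and the bit layout of the two predicates (XOR inputs first, then the AND inputs or the extra parity) are assumptions of this example.

```python
# Resiliency, GF(2) degree and bit-fixing degree of a local predicate, read off
# its 2^d-entry truth table.  Added illustration, not code from the talk.
import itertools


def truth_table(Q, d):
    """Q on all of {0,1}^d; entry x has bit i equal to w[i]."""
    return [Q(tuple(x >> i & 1 for i in range(d))) for x in range(1 << d)]


def anf_degree(tt):
    """Algebraic degree over GF(2): the Moebius butterfly turns the truth table
    into ANF coefficients; the degree is the largest weight of a monomial present."""
    coef = list(tt)
    step = 1
    while step < len(coef):
        for base in range(0, len(coef), 2 * step):
            for i in range(base, base + step):
                coef[i + step] ^= coef[i]
        step *= 2
    return max((bin(mask).count("1") for mask, c in enumerate(coef) if c), default=-1)


def walsh_spectrum(tt):
    """W(S) = sum_w (-1)^(Q(w) + <S,w>) for every S, by the fast Walsh-Hadamard transform."""
    f = [1 - 2 * b for b in tt]
    step = 1
    while step < len(f):
        for base in range(0, len(f), 2 * step):
            for i in range(base, base + step):
                a, b = f[i], f[i + step]
                f[i], f[i + step] = a + b, a - b
        step *= 2
    return f


def resiliency(tt):
    """Largest k such that Q is uncorrelated with every parity of at most k inputs
    (the empty parity included, so an unbalanced Q gets -1)."""
    W = walsh_spectrum(tt)
    return min(bin(S).count("1") for S, v in enumerate(W) if v != 0) - 1


def bit_fixing_degree(Q, d, r):
    """r-bit-fixing degree: the minimum GF(2) degree of Q after any r of its
    inputs are fixed to any constants (r = 0 is the plain degree)."""
    best = None
    for pos in itertools.combinations(range(d), r):
        free = [i for i in range(d) if i not in pos]
        for vals in itertools.product((0, 1), repeat=r):
            fixed = dict(zip(pos, vals))

            def restricted(u, fixed=fixed, free=free):   # Q with `pos` fixed to `vals`
                w = [0] * d
                for i, ui in zip(free, u):
                    w[i] = ui
                for i, v in fixed.items():
                    w[i] = v
                return Q(tuple(w))

            deg = anf_degree(truth_table(restricted, d - r))
            best = deg if best is None else min(best, deg)
    return best


# Predicates from the slides with k = 2; the bit layout (XOR inputs first, then
# the AND inputs or the extra parity) is an assumption of this example.
def xor_and(w):             # (w0 ⊕ w1 ⊕ w2 ⊕ w3) ⊕ (w4 ∧ w5): the XOR-AND candidate
    return w[0] ^ w[1] ^ w[2] ^ w[3] ^ (w[4] & w[5])


def or_xor_plus_xor(w):     # OR(w0 ⊕ w1, w2 ⊕ w3) ⊕ (w4 ⊕ w5 ⊕ w6): OR∘XOR ⊕ XOR
    return ((w[0] ^ w[1]) | (w[2] ^ w[3])) ^ w[4] ^ w[5] ^ w[6]


def profile(Q, d):
    """(degree, resiliency, 1-bit-fixing degree, 2-bit-fixing degree) of Q."""
    tt = truth_table(Q, d)
    return (anf_degree(tt), resiliency(tt),
            bit_fixing_degree(Q, d, 1), bit_fixing_degree(Q, d, 2))
```

`profile(xor_and, 6)` gives degree 2 and resiliency 3 = 2k − 1, which is what the necessary conditions ask for, but a 1-bit-fixing degree of 1: fixing one AND input to 0 leaves a parity, which is the failure behind Cor 2. `profile(or_xor_plus_xor, 7)` keeps degree k = 2 after any single fixing and only drops to 1 after k = 2 fixings, matching its (k−1)-bit-fixing degree of k.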
Bit-fixing degree + Resiliency ⇒ low bias
Proof plan:
• "Short tests" are handled by resiliency + expansion [ABR 12]
• "Long tests" are handled by large bit-fixing degree + expansion
(Figure: inputs x_1, …, x_n; outputs y_1, …, y_m.)
More Details (long tests)
(Figures: a set A of outputs and a set K of inputs.)
Proof
Step 1: Handling frequent inputs & their neighbours. Fix all "frequent inputs", i.e., inputs of degree > 2d|A|/t. By Markov's inequality there are at most t/2 such nodes.
Step 2: Finding pairwise disjoint outputs. Fix all inputs which do not touch a potential leader (the green outputs in the figure).
(Figures: inputs and outputs at each step.)
Algebraic Attacks
Beyond Bit-Fixing Degree
• The predicate Q = OR∘XOR (an OR of k disjoint XORs, each on k inputs, as in the figure) has (k−1)-bit-fixing degree k
• But Q(w) = 0 implies XOR(w_1, …, w_d) = 0
• Q is insecure: replace the 0-outputs with low-degree (here linear) equations
• New attack (not captured by a linear distinguisher)
How to analyze this attack? How to model it? Can we resist it?
(Figure: every output with y_i = Q(x_1, x_2, x_5) = 0 is replaced by the equation XOR(x_1, x_2, x_5) = 0.)
Algebraic Attacks [Shannon 49, Patarin 95, …]
Goal: given y = f(x), recover the hidden variables x = (x_1, …, x_n).
• Write y = f(x) as a system of polynomial equations f_1(x) − y_1 = 0, …, f_m(x) − y_m = 0
• The system is further manipulated and extended, e.g. by multiplying the polynomials by some low-degree polynomial
• Eventually a solution is found, e.g. via linearization & Gaussian elimination, or by a Gröbner basis
• Well studied in the cryptanalysis literature (e.g. for LFSR-based ciphers) [Courtois 01–03, Courtois–Meier 03, Courtois–Klimov–Patarin–Shamir 00, Faugère 99–02]
• Attacks & countermeasures typically lack formal analysis
• No formal model of such attacks
Formalizing Algebraic Attacks
We formalize algebraic attacks via the Polynomial Calculus proof system [Clegg–Edmonds–Impagliazzo 96].
Goal: given y = f(x), recover the hidden variables x = (x_1, …, x_n).
1. Initialize the system of polynomial equations S = {f_1(x) − y_1 = 0, …, f_m(x) − y_m = 0}
2. A "scheduler" extends S by adding either
 • x_i·P(x) = 0 for some x_i and some P ∈ S, or
 • P(x) + R(x) = 0 for some P, R ∈ S
3. Terminate with solution b if S contains x_i − b_i = 0 for all i ∈ [n]
4. Else go to 2
• The scheduler can be arbitrary
• Covers known algebraic attacks
• Complexity: list size or degree
Algebraic Refutation Attacks
Goal: given y = f(x), show that there is no valid solution x = (x_1, …, x_n).
1. Initialize the system of polynomial equations S = {f_1(x) − y_1 = 0, …, f_m(x) − y_m = 0}
2. A "scheduler" extends S by adding either
 • x_i·P(x) = 0 for some x_i and some P ∈ S, or
 • P(x) + R(x) = 0 for some P, R ∈ S
3. Terminate with "unsat" if S contains 1 = 0
4. Else go to 2
• The transcript of a successful attack yields a proof of unsatisfiability
• The proof is in Polynomial Calculus
Algebraic Attacks
Thm 2: Q has rational degree Ω(s) ⇒ Q is s-psd against algebraic attacks.
Rational degree = minimal r such that Q(w) = b implies some nonzero degree-r relation P(w) = 0 (for some output value b).
• E.g., rational degree r implies e-bit-fixing degree ≥ r − e for every e < r.
• The lower bound holds against sub-exponential-time inversion/refutation and for all outputs y.
• Similar criteria appear in the cryptanalysis literature for LFSRs, without proofs (cf. [Carlet 10]).
Cor 3: psd against linear attacks does NOT imply general psd:
• there exist s and Q such that Q is s-psd against linear attacks but NOT 2.01-psd in general.
Proof of Corollary
The predicate Q = OR∘XOR ⊕ XOR (the OR of k disjoint k-bit XORs from the previous slides, XORed with a parity of further inputs)
• has (k−1)-bit-fixing degree k
• has k-resiliency
so by Thm 1 it is Ω(k)-psd against linear tests, but its rational degree is only 2: writing z_1, …, z_k for the block parities and c for the extra parity, Q(w) = 0 means OR(z) = c, which forces z_i·(1 ⊕ c) = 0 for every i.
Necessity of Rational Degree
Lemma: rational degree r ⇒ algebraic refutation succeeds w.p. 1 − o(1) for m = n^r.
Assume Q(w) = 0 ⇒ R(w) = 0 where deg(R) = r.
Naïve attempt: certify that a random y is not in the image:
• Replace each equation Q(x_S) = 0 with R(x_S) = 0
• Linearize and try to solve
• If there is no solution, output "y is NOT in the image"
This attack can be implemented as an algebraic refutation attack, but it completely fails!
• E.g. R(w_1, w_2, w_3) = w_1w_2w_3 + w_1w_2 + w_2w_3 + w_1w_3 gives linearized equations of the form X_{ijk} + X_{ij} + X_{ik} + X_{jk} = 0
• Such a homogeneous system always has a (fake) solution, e.g. all linearized variables equal to 0
Fix: identify fake solutions by using (some of) the original Q-equations.
Certificate that y is not in the image:
• a set A of 2d "disjoint" outputs
• for every d-subset S ⊆ Input(A), the equation R(x_S) = 0 derived via linearization
• y_A is balanced
Show: it certifies unsatisfiability, exists whp, and yields an algebraic attack.
(Figure: an output with Q(x_1, x_2, x_5) = 0 replaced by R(x_1, x_2, x_5) = 0.)
Rational Degree defeats Algebraic Attacks
• Lower bound against Polynomial Calculus [Alekhnovich–Razborov 01]
• (Strong) security against algebraic refutation attacks ⇒ security against algebraic inversion attacks for log-space functions